I've been playing with OpenSwan the last week and learned how to revoke certificates in the process. Usage of the CRL cert...
In my slapd.conf's I have:
TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/ldapsrv?_domain_tld.pub
TLSCertificateKeyFile /etc/ldap/ldapsrv?_domain_tld.prv
TLSVerifyClient try
Where would the CRL cert fit in this? From what I can tell of the man page, nowhere.
I have authentication with X.509 certificates enabled (not that anyone's using that at the moment, but...) so I would like the chance of making sure to reject revoked certificates...
Turbo Fredriksson wrote:
I've been playing with OpenSwan the last week and learned how to revoke certificates in the process. Usage of the CRL cert...
In my slapd.conf's I have:
TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/ldapsrv?_domain_tld.pub
TLSCertificateKeyFile /etc/ldap/ldapsrv?_domain_tld.prv
TLSVerifyClient try
Where would the CRL cert fit in this? From what I can tell of the man page, nowhere.
Read the slapd.conf(5) manpage again, look for the TLSCRLCheck keyword.
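For readers with the same question, here is an added slapd.conf fragment (not from the thread) showing where the CRL goes with an OpenSSL-built slapd 2.3 or later: TLSCRLCheck has no companion "CRL file" directive; it requires TLSCACertificatePath, and OpenSSL finds the CRL in that directory by its hashed name (<hash>.r0). All paths are assumptions.

```conf
# Hashed directory holding the CA certificate (<hash>.0) and its CRL (<hash>.r0).
# Run c_rehash on the directory after copying crl.pem into it; it creates the
# <hash>.r0 link. The hash itself is printed by: openssl crl -noout -hash -in crl.pem
TLSCACertificatePath    /etc/ldap/cacerts

# Server certificate and key (placeholder paths)
TLSCertificateFile      /etc/ldap/server-cert.pem
TLSCertificateKeyFile   /etc/ldap/server-key.pem

# Ask clients for a certificate but still allow connections without one
TLSVerifyClient         try

# none = ignore CRLs, peer = check only the client certificate against the CRL,
# all  = check every certificate in the chain (each issuer needs its own <hash>.r0)
TLSCRLCheck             peer
```

Once TLSCRLCheck is set, a missing or expired CRL in that directory makes every client-certificate verification fail (unable to get certificate CRL / CRL has expired), so the CRL must be present before slapd starts and refreshed before its nextUpdate time.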
Quoting Howard Chu hyc@symas.com:
Turbo Fredriksson wrote:
I've been playing with OpenSwan the last week and learned how to revoke certificates in the process. Usage of the CRL cert...
In my slapd.conf's I have:
TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/ldapsrv?_domain_tld.pub
TLSCertificateKeyFile /etc/ldap/ldapsrv?_domain_tld.prv
TLSVerifyClient try
Where would the CRL cert fit in this? From what I can tell of the man page, nowhere.
Read the slapd.conf(5) manpage again, look for the TLSCRLCheck keyword.
Doesn't exist in man manual. When did that come? I'm running OpenLDAP v2.2.28.
--On Tuesday, November 07, 2006 10:32 PM +0100 Turbo Fredriksson turbo@bayour.com wrote:
Quoting Howard Chu hyc@symas.com:
Turbo Fredriksson wrote:
I've been playing with OpenSwan the last week and learned how to revoke certificates in the process. Usage of the CRL cert...
In my slapd.conf's I have:
TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/ldapsrv?_domain_tld.pub
TLSCertificateKeyFile /etc/ldap/ldapsrv?_domain_tld.prv
TLSVerifyClient try
Where would the CRL cert fit in this? From what I can tell of the man page, nowhere.
Read the slapd.conf(5) manpage again, look for the TLSCRLCheck keyword.
Doesn't exist in man manual. When did that come? I'm running OpenLDAP v2.2.28.
I'm guessing 2.3, since it is in the man page there. You may want to consider upgrading.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
On Nov 7, 2006, at 1:55 PM, Quanah Gibson-Mount wrote:
--On Tuesday, November 07, 2006 10:32 PM +0100 Turbo Fredriksson turbo@bayour.com wrote:
Quoting Howard Chu hyc@symas.com:
...
Read the slapd.conf(5) manpage again, look for the TLSCRLCheck keyword.
Doesn't exist in man manual. When did that come? I'm running OpenLDAP v2.2.28.
I'm guessing 2.3, since it is in the man page there. You may want to consider upgrading.
Also note that SSL version may play a role in this - won't be supported with OpenSSL 0.9.7c or lower. Some common Linux distributions install 0.9.7b.
Once you get it working, it's a bit of trouble to keep it working, unless there's some way I don't know to import the CRL without restarting the server. Since the CRL will regularly expire, you can't just let it go - even if you have nothing to add to it, you have to update it and restart. You can avoid that particular problem by making an exception for X509_V_ERR_CRL_HAS_EXPIRED, in tls.c:tls_verify_cb(), but that will help only if your CRL is not very active.
I don't think it's OpenLDAP's fault, OpenSSL X509_STORE_add_crl() wouldn't update an existing CRL anyway. I proposed a fix to that, but don't believe I got any response.
Donn Cave, donn@u.washington.edu
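The expiry problem described above is easy to monitor for: since slapd only loads the CRL at startup and OpenSSL rejects every client certificate once nextUpdate has passed, an admin wants warning before that happens. The following is an added example (not from the thread or from OpenLDAP) that parses the output of `openssl crl -noout -lastupdate -nextupdate` and classifies the CRL as ok, due for renewal, or already expired; the sample output string is constructed, and check_crl_file is a thin assumed wrapper around the real openssl CLI.

```python
import subprocess
from datetime import datetime, timedelta, timezone

# Date format openssl prints for CRL fields, e.g. "Nov  7 21:00:00 2006 GMT".
_OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"

def parse_crl_dates(openssl_output):
    """Parse lastUpdate=/nextUpdate= lines from `openssl crl -noout -lastupdate
    -nextupdate` into UTC datetimes; "nextUpdate=NONE" (no expiry) maps to None."""
    dates = {"lastUpdate": None, "nextUpdate": None}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in dates and value != "NONE":
            value = " ".join(value.split())  # collapse openssl's day padding
            dates[key] = datetime.strptime(value, _OPENSSL_DATE).replace(tzinfo=timezone.utc)
    return dates

def crl_status(openssl_output, now, warn_days=7):
    """Return (state, days_left). 'expired': slapd with TLSCRLCheck set is already
    rejecting client certs with CRL_HAS_EXPIRED; 'renew': it will within warn_days."""
    next_update = parse_crl_dates(openssl_output)["nextUpdate"]
    if next_update is None:
        return "ok", None  # without nextUpdate OpenSSL never reports expiry
    remaining = next_update - now
    days_left = remaining / timedelta(days=1)
    if remaining <= timedelta(0):
        return "expired", days_left
    if remaining <= timedelta(days=warn_days):
        return "renew", days_left
    return "ok", days_left

def status_at(openssl_output, now_iso, warn_days=7):
    """crl_status with `now` given as a naive ISO-8601 timestamp taken as UTC."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return crl_status(openssl_output, now, warn_days)

def check_crl_file(path, warn_days=7):
    """Run the real openssl CLI on the CRL placed in TLSCACertificatePath."""
    cmd = ["openssl", "crl", "-in", path, "-noout", "-lastupdate", "-nextupdate"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return crl_status(out, datetime.now(timezone.utc), warn_days)

# Constructed sample output for a 30-day CRL, in the format openssl prints.
SAMPLE_OUTPUT = "lastUpdate=Nov  7 21:00:00 2006 GMT\nnextUpdate=Dec  7 21:00:00 2006 GMT\n"

if __name__ == "__main__":
    print(status_at(SAMPLE_OUTPUT, "2006-12-03T00:00:00"))  # ('renew', 4.875)
```

Run check_crl_file from cron against the <hash>.r0 file in TLSCACertificatePath; a 'renew' result is the cue to regenerate the CRL with the CA and restart slapd before the old one expires.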
Donn Cave wrote:
On Nov 7, 2006, at 1:55 PM, Quanah Gibson-Mount wrote:
--On Tuesday, November 07, 2006 10:32 PM +0100 Turbo Fredriksson turbo@bayour.com wrote:
Quoting Howard Chu hyc@symas.com:
...
Read the slapd.conf(5) manpage again, look for the TLSCRLCheck keyword.
Doesn't exist in man manual. When did that come? I'm running OpenLDAP v2.2.28.
I'm guessing 2.3, since it is in the man page there. You may want to consider upgrading.
Also note that SSL version may play a role in this - won't be supported with OpenSSL 0.9.7c or lower. Some common Linux distributions install 0.9.7b.
True. On older OpenSSL distributions the TLSCRLCheck keyword will not be recognized, and should trigger an error when parsing slapd.conf.
Once you get it working, it's a bit of trouble to keep it working, unless there's some way I don't know to import the CRL without restarting the server. Since the CRL will regularly expire, you can't just let it go - even if you have nothing to add to it, you have to update it and restart. You can avoid that particular problem by making an exception for X509_V_ERR_CRL_HAS_EXPIRED, in tls.c:tls_verify_cb(), but that will help only if your CRL is not very active.
I don't think it's OpenLDAP's fault, OpenSSL X509_STORE_add_crl() wouldn't update an existing CRL anyway. I proposed a fix to that, but don't believe I got any response.
Yes, I see this is still true in the current release (OpenSSL 0.9.8d) as well. Googling the OpenSSL mailing lists doesn't turn up your proposed fix, have you got a pointer to that?
On Nov 7, 2006, at 4:06 PM, Howard Chu wrote:
Donn Cave wrote:
...
I don't think it's OpenLDAP's fault, OpenSSL X509_STORE_add_crl() wouldn't update an existing CRL anyway. I proposed a fix to that, but don't believe I got any response.
Yes, I see this is still true in the current release (OpenSSL 0.9.8d) as well. Googling the OpenSSL mailing lists doesn't turn up your proposed fix, have you got a pointer to that?
I resubmitted it, now [openssl.org #1424]
Donn Cave, donn@u.washington.edu
Turbo Fredriksson wrote:
Quoting Howard Chu hyc@symas.com:
Turbo Fredriksson wrote:
I've been playing with OpenSwan the last week and learned how to revoke certificates in the process. Usage of the CRL cert...
In my slapd.conf's I have:
TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/ldapsrv?_domain_tld.pub
TLSCertificateKeyFile /etc/ldap/ldapsrv?_domain_tld.prv
TLSVerifyClient try
Where would the CRL cert fit in this? From what I can tell of the man page, nowhere.
Read the slapd.conf(5) manpage again, look for the TLSCRLCheck keyword.
Doesn't exist in man manual. When did that come? I'm running OpenLDAP v2.2.28.
It went into HEAD sometime in 2004. It was released in 2.3, so first public availability would have been around March 2005. You probably ought to subscribe to the OpenLDAP-announce mailing list, if you're not even aware of what versions are out.
Quoting Howard Chu hyc@symas.com:
You probably ought to subscribe to the OpenLDAP-announce mailing list, if you're not even aware of what versions are out.
I was, but apparently I've been unsubscribed. I get so much mail anyway, so I didn't notice :)
Thanx. I'll see if I can (have time to) upgrade. It's not a show-stopper for me.
openldap-software@openldap.org